CVE-2012-10049
Published: 2025-08-08
Priority: P2 | 69 | critical | CVSS 4.0 base score 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: public exploit indexed (see references)
EPSS: 1.06% (60.4th percentile)
WebPageTest version 2.6 and earlier contains an arbitrary file upload vulnerability in the resultimage.php script. The application fails to validate or sanitize user-supplied input before saving uploaded files to a publicly accessible directory. This flaw allows remote attackers to upload and execute arbitrary PHP code, resulting in full remote code execution under the web server context.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpo_foundation | webpagetest | <= 2.6 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to resultimage.php, especially those uploading files with PHP extensions (.php, .php3, .phtml, etc.) to the web-accessible directory.
- Alert on web server execution of newly created PHP files in the WebPageTest results/upload directory, which may indicate successful exploitation and remote code execution.
- Flag HTTP requests that trigger PHP code execution from the web server process after a file upload to WebPageTest; this indicates post-exploitation activity.
- The vulnerability is present in WebPageTest version 2.6 and earlier; verify the installed version before applying detection rules to avoid false positives on patched instances.
- The uploaded malicious file is placed in a publicly accessible web directory, so detection should also cover direct HTTP GET requests to newly uploaded files in that directory, not just the upload POST.
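The following is an added detection example, not code from the advisory, the WebPageTest project, or any of the indexed sources. It scans web server access logs in the common/combined format and raises the two signals described above: a POST to `resultimage.php`, and a subsequent GET of a PHP-extension file served from the results tree, correlated with the earlier upload from the same client. The `RESULTS_PREFIX` path, the correlation window, and the sample log lines are assumptions constructed for the example; adjust the prefix to where your deployment stores result artifacts.

```python
"""Access-log detection sketch for the resultimage.php upload flaw.

Added example (not from the advisory or WebPageTest). Two alert kinds:
  - "upload_post": a POST to the vulnerable resultimage.php endpoint
  - "php_exec_in_results": a GET of a PHP-extension file under the results
    directory, tied to a prior upload POST from the same client when possible.
"""
import re
from datetime import datetime, timedelta

# Common/combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# PHP handler extensions named by the advisory (.php, .php3, .phtml, ...).
PHP_EXT_RE = re.compile(r'\.(php\d?|phtml)$', re.IGNORECASE)
# ASSUMPTION: where this deployment serves WebPageTest result/upload artifacts.
RESULTS_PREFIX = "/results/"
UPLOAD_ENDPOINT = "/resultimage.php"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def analyze(lines, window=timedelta(hours=1)):
    """Scan log lines in order and return a list of alert dicts."""
    last_upload = {}  # client ip -> timestamp of its latest resultimage.php POST
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith(UPLOAD_ENDPOINT):
            last_upload[rec["ip"]] = rec["ts"]
            alerts.append({"kind": "upload_post", "ip": rec["ip"], "path": rec["path"]})
        elif (rec["method"] == "GET" and rec["path"].startswith(RESULTS_PREFIX)
              and PHP_EXT_RE.search(rec["path"])):
            # A PHP file served from the results tree is suspicious on its own;
            # correlate it with a recent upload POST from the same client.
            prior = last_upload.get(rec["ip"])
            correlated = prior is not None and rec["ts"] - prior <= window
            alerts.append({
                "kind": "php_exec_in_results",
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "correlated_with_upload": correlated,
            })
    return alerts


# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    # benign: a screenshot fetched from a result directory
    '198.51.100.7 - - [08/Aug/2025:10:00:01 +0000] "GET /results/25/08/08/AB/1_screen.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # upload POST to the vulnerable endpoint
    '203.0.113.5 - - [08/Aug/2025:10:02:10 +0000] "POST /resultimage.php?id=250808_AB_1 HTTP/1.1" 200 12 "-" "curl/8.0"',
    # the same client then requests a PHP file from the results tree
    '203.0.113.5 - - [08/Aug/2025:10:02:15 +0000] "GET /results/25/08/08/AB/upload.php HTTP/1.1" 200 41 "-" "curl/8.0"',
    # unrelated normal traffic
    '198.51.100.7 - - [08/Aug/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The correlation keeps the version caveat above in mind: a lone GET of a `.php` file under the results prefix is reported even without a matching upload, but `correlated_with_upload` lets a triage rule weight the two cases differently, and the rule should be disabled on instances already confirmed to run a version after 2.6.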
No detection rules found.
No writeups or analysis indexed.
References
- https://github.com/catchpoint/WebPageTest
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/webpagetest_upload_exec.rb
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=26148
- https://www.exploit-db.com/exploits/19790
- https://www.exploit-db.com/exploits/20173
- https://www.vulncheck.com/advisories/webpagetest-arbitrary-php-file-upload-rce